European Court of Justice imposes strict limits on telecoms data retention

On 21 December 2016, the Grand Chamber of the European Court of Justice ("ECJ") held, in a landmark judgment, that EU Member States may not impose a general obligation to retain data on telecommunications companies. According to the ECJ, EU law does not allow a "general and indiscriminate retention of all traffic and location data" (Judgment, para. 131). Member States may, however, adopt legislation providing for the targeted retention of such data as a preventative measure for the purpose of fighting serious crime, provided that such retention is limited to what is strictly necessary. Access of national authorities to such retained data "must be restricted solely to fighting serious crime", be "subject to prior review by a court or an independent administrative authority" (Judgment, para. 131) and retained data must be stored within the European Union.

This judgment follows the ECJ's judgment in 2014, invalidating the Data Retention Directive on the grounds that it seriously interferes with fundamental rights. Despite this ruling, several Member States believed that they were not prevented from keeping or enacting national data retention laws. This gave rise to two preliminary ruling procedures regarding the national data retention laws of Sweden and the United Kingdom (C-203/15 and C-698/15); both cases were joined by the ECJ and resulted in the present judgment.

National legislation on data retention falls within the scope of EU law

As a first step, the Court had to determine whether national legislation on data retention falls within the scope of EU law, specifically the ePrivacy Directive (2002/58/EC). It was controversial whether the ePrivacy Directive only governs legislation relating to the retention of traffic and location data or also legislation relating to the access of national authorities to retained data, for the purpose of combating crime.
The Court holds that both issues are covered by the ePrivacy Directive, as amended by Directive 2009/136/EC, which is to be read in the light of the fundamental right to privacy and the right to protection of personal data, enshrined in Art. 7 and 8 of the Charter of Fundamental Rights of the European Union ("Charter"). Consequently, national legislation on data retention, including the issue of access of national authorities to retained data, must comply with the provisions set out in the ePrivacy Directive.

ECJ's criteria for national legislation relating to the retention of traffic and location data

Against this background, the Court analyzes the principle of confidentiality of communications established by Art. 5 para. 1 of the ePrivacy Directive. This principle prohibits the interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned. However, Art. 15 para. 1 of the ePrivacy Directive provides for an exception to this principle, thus enabling the Member States to adopt national legislation for the retention of data.

According to the ECJ, this exception clause must be interpreted "strictly", which means that the adoption of data retention measures cannot become the rule, but must remain the exception (Judgment, para. 89). Furthermore, such measures may only be adopted to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system. The Court emphasizes that this is an exhaustive list of objectives (Judgment, para. 90).

Reading Art. 15 para. 1 of the ePrivacy Directive in the light of the Charter and the Court's settled case law on fundamental rights, the ECJ holds that data retention measures "must be strictly proportionate to the intended purpose" (Judgment, para. 95).
In contrast, a general and indiscriminate retention of all traffic and location data would "allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained" (Judgment, para. 99). In this regard, the ECJ especially criticizes the fact that the persons concerned could "feel that their private lives are the subject of constant surveillance" (Judgment, para. 100). As a result, only "the objective of fighting serious crime" justifies data retention measures (Judgment, para. 102).

However, even in the cases of organized crime and terrorism, a general and indiscriminate retention of all traffic and location data is not admissible since such a broad measure would affect all persons using electronic communication services. Instead, there must be a "relationship between the data which must be retained and a threat to public security". This means that data retention measures must always be limited, for example, to "(i) data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved, in one way or another, in a serious crime, or (ii) persons who could, for other reasons, contribute, through their data being retained, to fighting crime" (Judgment, para. 106).

Consequently, national data retention laws "must, in particular, indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary" (Judgment, para. 109). In addition, it "must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security" (Judgment, para. 111).

ECJ's criteria for national legislation relating to the access of national authorities to retained data

The ECJ holds that national legislation must set out substantive and procedural rules, based on objective criteria, for the access of national authorities to data that have been retained. Therefore, access may be granted "in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime". However, the ECJ lowers the bar for the fight against terrorism. In such cases "access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities" (Judgment, para. 119).

In addition, access to retained data must be subject to prior review carried out either by a court or by an independent administrative body (except in cases of emergency) and data subjects affected must be notified as soon as this would no longer endanger the purpose of the measure. Also, there must be "a particularly high level of protection and security" for retained data "by means of appropriate technical and organisational measures". Furthermore, the data must be retained within the European Union and irreversibly destroyed at the end of the retention period. Finally, compliance of national data retention law with the aforementioned principles and rules must be subject to control by an independent authority (Judgment, para. 120 - 123).

Consequences for national data retention laws

Law-makers in the Member States will now have to assess whether or not their national data retention laws meet the requirements which the ECJ has established under Art. 15 para. 1 ePrivacy Directive.
National constitutional courts may be called upon to scrutinize data retention laws and will need to apply the strict criteria developed by the ECJ. Even in EU jurisdictions where constitutional court actions against national data retention laws are not possible, courts that are called upon to review specific data retention measures may ask the ECJ for preliminary rulings on the underlying national data retention laws.

German data retention rules partly invalid?

The German Data Retention Act ("DRA"), which entered into force on December 18, 2015 and will need to be applied by telecommunications operators as from July 1, 2017, has been brought before the Federal Constitutional Court. The DRA provides for the general and indiscriminate retention of traffic and location data of all users of publicly available telephone services as well as publicly available internet access services. This means that the DRA provides for no differentiation, limitation or exception as regards the data retention measures, but affects all persons using electronic communications, including those who have no link with serious criminal offences. As a result, the DRA clearly exceeds the limits of what is strictly necessary according to principles and rules set out in the present ECJ judgment.

As regards the access to data that have been retained, the DRA allows authorities to use such data not only in cases of serious crimes as required by the present ECJ judgment. In addition, authorities may also access retained data to prevent a concrete danger to health, life or freedom of a person or to prevent danger to the existence of the Federal Republic of Germany or one of its States.

On the other hand, the DRA complies with the requirement to ensure a particularly high level of protection and security for retained data by means of appropriate technical and organisational measures.
Also, data retained under the DRA must be stored within Germany and has to be deleted at the end of the retention period.

Unless the German government adjusts the DRA in line with the criteria established by the ECJ, it is likely that the data retention provisions as well as the rules on government access to retained data will not withstand judicial scrutiny.

For more information, please contact Joachim Scherer or Andreas Neumann.